--- tools/libxc/xc_dom_bzimageloader.c 2009-11-10 23:12:56.000000000 +0800 +++ tools/libxc/xc_dom_bzimageloader.c 2011-10-09 20:10:08.972815311 +0800 @@ -308,19 +308,19 @@ extern struct xc_dom_loader elf_loader; -static unsigned int payload_offset(struct setup_header *hdr) +static int check_magic(struct xc_dom_image *dom, const void *magic, size_t len) { - unsigned int off; + if (len > dom->kernel_size) + return 0; + + return (memcmp(dom->kernel_blob, magic, len) == 0); + } - off = (hdr->setup_sects + 1) * 512; - off += hdr->payload_offset; - return off; -} - -static int xc_dom_probe_bzimage_kernel(struct xc_dom_image *dom) +static int check_bzimage_kernel(struct xc_dom_image *dom, int verbose) { struct setup_header *hdr; - int ret; + uint64_t payload_offset, payload_length; + /* int ret; */ if ( dom->kernel_blob == NULL ) { @@ -352,20 +352,47 @@ return -EINVAL; } - dom->kernel_blob = dom->kernel_blob + payload_offset(hdr); - dom->kernel_size = hdr->payload_length; + /* upcast to 64 bits to avoid overflow */ + /* setup_sects is u8 and so cannot overflow */ + payload_offset = (hdr->setup_sects + 1) * 512; + payload_offset += hdr->payload_offset; + payload_length = hdr->payload_length; - if ( memcmp(dom->kernel_blob, "\037\213", 2) == 0 ) - { +/* if ( memcmp(dom->kernel_blob, "\037\213", 2) == 0 ) + { ret = xc_dom_try_gunzip(dom, &dom->kernel_blob, &dom->kernel_size); - if ( ret == -1 ) + if ( ret == -1 ) */ + if ( payload_offset >= dom->kernel_size ) + { + xc_dom_panic(XC_INVALID_KERNEL, "%s: payload offset overflow", + __FUNCTION__); + return -EINVAL; + } + if ( (payload_offset + payload_length) > dom->kernel_size ) + { + xc_dom_panic(XC_INVALID_KERNEL, "%s: payload length overflow", + __FUNCTION__); + } + + dom->kernel_blob = dom->kernel_blob + payload_offset; + dom->kernel_size = payload_length; + + if ( check_magic(dom, "\037\213", 2) ) + { + if ( xc_dom_try_gunzip(dom, &dom->kernel_blob, &dom->kernel_size) == -1 ) { - xc_dom_panic(XC_INVALID_KERNEL, - "%s: unable to gzip decompress kernel\n", - __FUNCTION__); + if ( verbose ) + xc_dom_panic(XC_INVALID_KERNEL, "%s: unable to decompress kernel\$n", + __FUNCTION__); return -EINVAL; } } + else + { + xc_dom_panic(XC_INVALID_KERNEL, "%s: unknown compression format\n", + __FUNCTION__); + return -EINVAL; + } else if ( memcmp(dom->kernel_blob, "\102\132\150", 3) == 0 ) { ret = xc_try_bzip2_decode(dom, &dom->kernel_blob, &dom->kernel_size);